2FA Codes + Backups


CredulousDane
Sep 26, 2020
Hi, I'm simply searching for tips on how to save all these QR codes as well as the backup strings that usually follow every new 2FA setup.

Right now I have them on an encrypted USB, but if that's done - I'm done with that. For some I've also only saved a text string and not the QR code (not sure why), but I'm thinking about taking a whole day out of the calendar and fixing this once and for all. Keep QR codes for everything + backup strings - but what do I do next?

How do you do it? Do you have it in several locations, or how?
 
@Steve prints them out and keeps them in a folder.
 
A good password manager like Bitwarden or 1Password lets you save the 2FA credential with the user name and password. I do this with Bitwarden and only need to protect this single account with a third-party authenticator. I use Authy, which allows backing up to multiple devices, or you can print the QR code if you like.

Some may argue that saving the 2FA credential along with the user name and password defeats the purpose. I'd like to hear those arguments.
 
Well, there's an additional complication. Any good site will ALSO require you to back up something like 10 one-time login codes in case you should lose your 2FA ability. (You would use one of them to log in and change the 2FA or disable it, as appropriate.)

Right now I store the text version of the 2FA string (which would be a pain if I had to re-enroll) into my "system" (basically my Password Manager's notes field for the site) along with the 10 one-time login codes. This means if my Password Manager ever gets hosed, so does everything, but well, you gotta put some faith somewhere, right? Upon my passing, I want to be able to hand off my Password Manager as the one thing someone needs to know.
 
For starters, things will become clearer once you realize the key string is the only part of the QR code that is critical or of any importance.

Read one of your QR codes in any smartphone QR app, and it will reveal the QR code is nothing more than a few plain-text strings. The key string is one of those fields, and is the only field that is used to generate those 6-digit numeric codes an authenticator displays when you use it. There may be a couple other fields, but they are merely for the user's convenience, such as a "name" field to help the user differentiate one TOTP token from another. You can add, remove, or edit those extra fields -- which I regularly do -- and they won't affect the calculation of those 6-digit codes, since authenticators just ignore them anyway.

There is nothing else unique about the QR code.

Right now I have them on an encrypted USB but if that's done - I'm done with that. For some I've also only saved a text string and not the QR code (not sure why) [...] How do you do it? Do you have it in several locations or how?

The key string is the only thing critical to back up. If you save the QR code, you're de facto saving the key string because that's what is embedded in the QR code, so it's effectively the same thing as saving the key string in a text file. You can extract the key string from the QR code, and you can generate a new QR code from the text string, so I don't think one way is inherently any better than the other.

That said, for convenience I do both. I take screenshots of the QR codes and drop them in a small Veracrypt container, and also save copies of the text string. (Your USB stick is effectively the same thing as my Veracrypt.) QR screenshots are convenient when I need to set up the TOTP token on a different smartphone -- just pull up the picture on the computer and point the smartphone camera at the screen.

I also copy the alphanumeric key string and put it in the Notes field of my password manager (I use Bitwarden). The text version is useful for cut-and-paste setup of the token on authenticators that can't read QR codes, such as on a desktop computer.

Of course, you can save backups in any password manager of your choice, so Bitwarden isn't unique there. As an aside, though, I'll mention that the paid version of Bitwarden activates the TOTP function within the Bitwarden app or extension, so besides just holding a backup of the string you can also use Bitwarden in lieu of other authenticators to generate a 6-digit code whenever you need it.

Like your passwords, just follow the same best practices for backing up those TOTP key strings. Maintain multiple copies, on multiple media, in multiple locations, and use the same techniques you're already familiar with (good passwords, yada, yada) to secure those copies.

FWIW, my webpage, "Understanding Two-Factor Authentication", has some other helpful tips.
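As an added illustration of the points in this reply (example code, not from the post or any project it mentions), the script below decodes the plain-text fields a TOTP QR code carries, recomputes the 6-digit code from the key string alone to show that the label and issuer fields do not affect it, and rebuilds an otpauth URI from a saved key string so a fresh QR code can be generated. The sample URIs are constructed; the secret is the RFC 6238 test key in base32.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed sample URIs (what a TOTP QR code decodes to). The secret is the
# RFC 6238 test key "12345678901234567890" in base32; URI_B drops the issuer
# and renames the label but keeps the same key string.
URI_A = ("otpauth://totp/Example:alice%40example.com"
         "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
URI_B = "otpauth://totp/Renamed?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into its plain-text fields."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    return {"label": unquote(p.path.lstrip("/")), "issuer": q.get("issuer"),
            "secret": q["secret"], "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}


def build_otpauth(label, secret, issuer=None):
    """Rebuild a URI (ready to encode into a new QR code) from a saved key."""
    uri = f"otpauth://totp/{quote(label)}?secret={secret}"
    return uri + (f"&issuer={quote(issuer)}" if issuer else "")


def totp(secret_b32, timestamp, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) computed from the base32 key string alone."""
    # Base32 secrets in otpauth URIs are usually unpadded; restore padding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(timestamp) // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_from_uri(uri, timestamp):
    """Code an authenticator would show for this URI at the given Unix time."""
    f = parse_otpauth(uri)
    return totp(f["secret"], timestamp, f["digits"], f["period"])


if __name__ == "__main__":
    import time
    now = time.time()
    print(parse_otpauth(URI_A))
    print(code_from_uri(URI_A, now), code_from_uri(URI_B, now))  # identical
```

Feeding the output of build_otpauth to any QR encoder reproduces a scannable setup code from nothing but the backed-up key string.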
 
I'm not saying this is a great idea. Just an idea. But, when I set up a new 2FA site or service, I store the QR code in the authentication apps on my phone, tablet, and one or two PCs. In the case of the tablet or phone, the QR Droid software keeps a history (optional) of all QR codes scanned. So, I could pull up a picture of the QR codes from that history. I keep the recovery codes that @PHolder mentioned in a notes field along with the LastPass login data for the website.

May your bits be stable and your interfaces be fast. :cool: Ron
 
I simply have an encrypted VeraCrypt container and keep the QR and/or its text string in files inside the container. Each file is named with whatever site the credential(s) are for. That way I can keep the encrypted container in multiple places safely.
 
Alright... I've got my 2FA folder in 4 locations now - 3 encrypted USBs and 1 small encrypted partition - and one of the USBs is at a friend's house.

The password for the encrypted devices is of course available, not right next to them but it can be found. For me, the encryption is merely in case I should lose the device or its life should come to an end. I have experienced USBs becoming copy protected / read only / corrupted. Would not be cool with my 2FAs on it ;) (but of course it would then just have to feel the head of a hammer)

In the last SN episode Leo talks about an authenticator called 2FAS, I think, and I'm thinking of switching to that - seems it could be a better choice than Google's.
 
Exactly, the encryption is in case of a lost device. I carry USB drives with encrypted stuff on them as an 'off site backup'. I've often said that if I were to lose it I am not concerned that its contents would be decrypted, but more so that I would have to buy a replacement device. I, as I am sure many others have, have had the same issue with a USB device going bad in one way or another, hence the multiple copies and places. I think pretty much everyone who listens to SN does that.